We conducted the study to evaluate LAD performance under multiple simultaneous shift scenarios (for example, an application shift combined with a cloud architecture shift). We found that multiple shifts, although rare in real-world conditions, pose significant challenges to both reconstruction and attack detection for LAD models. Detailed experimental results are provided below. Both AE and VAE exhibit increased reconstruction loss on logs collected from environments with multiple shifts (i.e., more false positives on benign logs), which lowers the detection performance of the LAD models.
We also collected logs from the cloud system under multi-vector attacks, each combining several of the attacks already present in our dataset, for a more comprehensive evaluation. The evaluation results for the newly collected attack logs are shown in the table below.
Specifically, for our experiment, we considered four types of multi-vector attacks:
H1: CVE-2016-4029 + CVE-2019-5736
H2: CVE-2017-5487 + CVE-2020-15257
H3: CVE-2016-4029 + CVE-2019-5736 + CWE-200
H4: CVE-2017-5487 + CVE-2020-15257 + CWE-200
We observe that the anomaly scores for multi-vector attacks are consistently higher than those for the corresponding single attacks. Detailed data supporting this observation are presented above. These results suggest that multi-vector attacks, by introducing more anomalous behaviors into the logs, may make the attacks easier to detect within cloud systems.
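The following is an added example, not code or data from the paper, illustrating both points made above with a much simpler model than AE/VAE: a per-template Gaussian count model stands in for the autoencoder, the anomaly score is the window's normalised reconstruction error plus a fixed penalty per event whose template the baseline never produced, and the threshold is calibrated on the baseline windows. All log lines are constructed for the example, the attack windows are generic behaviours (brute-force logins, privileged container exec, a configuration leak) and are not reproductions of the CVEs listed above, and the template regex, the `sigma_floor`, `unseen_penalty` and `margin` parameters are assumptions of this example. It shows a benign window after an architecture shift (proxy swapped from nginx to envoy) scoring above threshold, i.e. a false positive, and combined attacks scoring higher than either component alone.

```python
"""Reconstruction-error scoring over log event-count windows (added example)."""
import re
import statistics
from collections import Counter

# Mask paths and numbers so raw lines collapse into parameter-free templates.
_MASK = re.compile(r"/\S+|\d+")


def template(line: str) -> str:
    return _MASK.sub("<*>", line.strip())


class CountModel:
    """Per-template mean/std model; score = mean squared z-score + unseen penalty."""

    def __init__(self, sigma_floor=0.1, unseen_penalty=4.0, margin=1.5):
        self.sigma_floor = sigma_floor        # assumed: avoids division by ~0 on constant counts
        self.unseen_penalty = unseen_penalty  # assumed: cost per event of a template absent from baseline
        self.margin = margin                  # assumed: threshold = margin * worst benign baseline score
        self.vocab, self.mu, self.sigma, self.threshold = [], [], [], 0.0

    def _counts(self, lines):
        counts = Counter(template(l) for l in lines)
        known = [counts.get(t, 0) for t in self.vocab]
        unseen = sum(c for t, c in counts.items() if t not in self.vocab)
        return known, unseen

    def fit(self, windows):
        self.vocab = sorted({template(l) for w in windows for l in w})
        vectors = [self._counts(w)[0] for w in windows]
        self.mu = [statistics.fmean(col) for col in zip(*vectors)]
        self.sigma = [max(statistics.pstdev(col), self.sigma_floor) for col in zip(*vectors)]
        # Calibrate on the baseline itself: report anything worse than the worst benign window.
        self.threshold = self.margin * max(self.score(w) for w in windows)
        return self

    def score(self, lines) -> float:
        known, unseen = self._counts(lines)
        err = sum(((x - m) / s) ** 2 for x, m, s in zip(known, self.mu, self.sigma))
        return err / len(self.vocab) + self.unseen_penalty * unseen

    def is_anomalous(self, lines) -> bool:
        return self.score(lines) > self.threshold


def service_window(gets, dbq, auth_ok, auth_fail=0, proxy="nginx", extra=()):
    """Constructed window of log lines for one small web service (not real data)."""
    lines = [f"{proxy}: GET /api/v1/items/{i} 200 {10 + i}ms" for i in range(gets)]
    lines += [f"app: request handled user={100 + i} in {20 + i}ms" for i in range(gets)]
    lines += [f"db: query ok rows={5 * i}" for i in range(dbq)]
    lines += [f"sshd: accepted publickey for deploy from 10.0.0.{i}" for i in range(auth_ok)]
    lines += [f"sshd: authentication failure for root from 10.0.1.{i}" for i in range(auth_fail)]
    return lines + list(extra)


# Baseline: normal traffic with natural variation (one stray login failure is benign).
BASELINE = [service_window(6, 3, 2), service_window(8, 4, 2, auth_fail=1),
            service_window(5, 2, 1), service_window(7, 3, 3)]
# Architecture shift: same workload, but the proxy was replaced, so every
# nginx template vanishes and every envoy template is unseen.
SHIFTED_BENIGN = service_window(6, 3, 2, proxy="envoy")
# Constructed attack behaviours (generic, not tied to any specific CVE).
PRIV_EXEC = [f"runc: exec into privileged container c{i} as uid 0" for i in range(3)]
INFO_LEAK = [f"app: debug endpoint returned config dump to 203.0.113.{i}" for i in range(2)]
ATTACK_A = service_window(6, 3, 2, auth_fail=5)                  # login brute force
ATTACK_B = service_window(6, 3, 2, extra=PRIV_EXEC)              # container breakout-style exec
ATTACK_AB = service_window(6, 3, 2, auth_fail=5, extra=PRIV_EXEC)
ATTACK_ABC = service_window(6, 3, 2, auth_fail=5, extra=PRIV_EXEC + INFO_LEAK)

MODEL = CountModel().fit(BASELINE)


def evaluate():
    """Score every window; returns {name: (score, flagged)}."""
    cases = {"shifted_benign": SHIFTED_BENIGN, "A": ATTACK_A, "B": ATTACK_B,
             "A+B": ATTACK_AB, "A+B+C": ATTACK_ABC}
    return {name: (MODEL.score(w), MODEL.is_anomalous(w)) for name, w in cases.items()}


if __name__ == "__main__":
    print(f"threshold = {MODEL.threshold:.2f}")
    for name, (s, flagged) in evaluate().items():
        print(f"{name:>14}: score={s:7.2f} flagged={flagged}")
```

The shifted benign window is flagged purely because its count vector no longer resembles the baseline, which is the false-positive mechanism described for AE/VAE above; the remedy in practice is recalibrating the baseline after a known architecture change rather than raising the threshold, since the combined attacks are only separable from the shift if the threshold stays tight.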